There's More to SOAR

Orchestrating and Automating Interactions of Security Analysts Across Disparate Security Products Can Deliver a Significant Return on Investment

Ever since the industrial revolution, which began more than 200 years ago, automation has played a role in our world. Today automation is woven into the fabric of our daily lives – from paying bills to making coffee to controlling the temperature in our homes. The emphasis of automation has been to reduce the time humans spend on mundane tasks so that they can focus more time on higher-value activities.

There’s a place for automation in every industry, security included. As security professionals, we’ve talked about automation for decades yet, as I’ve discussed before, haven’t fully embraced it for a variety of reasons. However, over the last couple of years we’ve started to see a shift. With the advent and expansion of Security Orchestration, Automation and Response (SOAR), automation is now starting to take hold.

Gartner is credited with having coined the term SOAR and has written extensively on the topic. Many security vendors are entering the SOAR market, and many are focused on automating playbooks for incident response (IR). There’s no arguing this is important – reducing mean time to response (MTTR) is a top imperative for security teams in every organization. But SOAR is a term that can cover so much more. Defenders shouldn’t limit themselves to only automating playbooks. Many other security operations activities can benefit from automation and orchestration. Here are just three examples.

1. Detect threats faster. One important measurement of security effectiveness is the speed with which security operations can detect threats. I don’t mean shaving off an hour or even 10 minutes in mean time to detection (MTTD), although there’s value in that. Many companies cannot detect a threat on their network for weeks or even months. The 2018 Ponemon Cost of a Data Breach Study puts MTTD at 197 days. Even a 5-10 percent reduction could mean finding a breach a week or more sooner – reducing the time hackers have to do damage and the associated costs of the breach. In fact, the study reports that companies that identified a breach in less than 100 days saved more than $1 million, in contrast to those that took more than 100 days.

To find threats faster, organizations use a range of threat intelligence products. But some of these solutions don’t proactively push data and must be polled, and they produce data in different formats. You can reduce MTTD by quickly bringing all that threat intelligence together in a usable format. Automating that aspect of your security operations accelerates detection and investigation, so you can understand what’s at risk and, if it is high priority, determine the nature of the risk and the best approach to remediating the problem.

2. Optimize scarce resources. Given the cybersecurity talent shortage, reducing the time highly skilled resources spend on mundane tasks through automation is critical. Security professionals are hard to find, expensive to hire and difficult to retain. You need to be efficient in how you leverage them – why spend an hour when they can perform the same task in 10 minutes? You also reduce the risk of burnout and turnover by automating tedious tasks.

For instance, security analysts spend a lot of time manually going into and out of different administration consoles, clicking around until they find what they need, setting up filters, correlating data, and copying and pasting back and forth between systems. If they haven’t saved the data they just looked up, they must repeat the entire process. Instead, something as straightforward as applying automation to pull data from these different security products and aggregate it into a single, easy-to-read pane can save a tremendous amount of time and frustration. Orchestrating and automating the interactions of security analysts across disparate security products can deliver a significant return on investment.

3. Achieve the impossible. This sounds lofty, but there are some things humans simply can’t do manually, either because the data is in a format that humans can’t process and consume on their own, or because there is simply too much data. Consider cases where two or more products don’t talk to each other out of the box and need an intermediary. A great example is dealing with corporate visitors who need wireless connectivity when they’re onsite for a meeting. Often what happens is that individuals share guest wireless accounts, but this creates accountability issues. If you discover some sort of activity – whether inadvertent or malicious – that has exposed the company to risk, it’s difficult or impossible to identify the source. By integrating the badging system used for physical security with the guest wireless system managed through IT, and then orchestrating and automating the onboarding process, you can remove the accountability problem.

Now let’s look at an example of making effective use of massive volumes of data. Through orchestration and automation, you can gather threat intelligence from the cloud, translate it into a usable format and create new blacklists. You can then reconfigure a firewall based on that latest threat intelligence to proactively strengthen security – all without human intervention.
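As an added example (not code from the article or from Cisco), here is the pipeline that the threat-intelligence passage under point 1 and the blacklist example above both describe, in working Python: two constructed feeds in different formats are normalized, validated, merged and rendered as a firewall set with no analyst touching a console. The feed contents, the NEVER_BLOCK ranges, the confidence threshold and the nftables rendering are all assumptions.

```python
import csv
import ipaddress
import itertools
import json

# Constructed sample feeds (documentation address ranges, not real indicators):
# one vendor exposes polled JSON, another publishes a CSV export. Both assumed.
FEED_JSON = json.dumps([
    {"indicator": "203.0.113.10", "type": "ipv4", "confidence": 90},
    {"indicator": "203.0.113.0/28", "type": "cidr", "confidence": 75},
    {"indicator": "evil.example", "type": "domain", "confidence": 80},
])
FEED_CSV = "ip,score\n198.51.100.7,95\n203.0.113.10,60\n10.0.0.5,99\nnot-an-ip,50\n"

# Ranges a feed must never push into a block rule (assumption; tune per site).
NEVER_BLOCK = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]

def parse_json_feed(text):
    """Yield (indicator, confidence) pairs; only IP-type records are taken."""
    for rec in json.loads(text):
        if rec.get("type") in ("ipv4", "cidr"):
            yield rec["indicator"], int(rec["confidence"])

def parse_csv_feed(text):
    """Yield (indicator, confidence) pairs from an ip,score CSV export."""
    for row in csv.DictReader(text.splitlines()):
        yield row["ip"].strip(), int(row["score"])

def build_blocklist(*feeds, min_confidence=70):
    """Merge any number of normalized feeds into routable IPv4 networks: unparsable
    entries are skipped, protected ranges dropped, duplicates keep their highest
    confidence, and overlapping prefixes collapse so the firewall set stays small."""
    nets = {}
    for indicator, confidence in itertools.chain(*feeds):
        try:
            net = ipaddress.ip_network(indicator, strict=False)
        except ValueError:
            continue  # garbage in a feed must not become a firewall rule
        if net.version != 4 or any(net.overlaps(p) for p in NEVER_BLOCK):
            continue
        nets[net] = max(nets.get(net, 0), confidence)
    keep = (n for n, c in nets.items() if c >= min_confidence)
    return list(ipaddress.collapse_addresses(keep))

def render_nft_set(nets, name="threat_feed"):
    """Render the merged list as an nftables interval set (illustrative syntax)."""
    elems = ", ".join(str(n) for n in nets)
    return f"set {name} {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}"
```

Calling `render_nft_set(build_blocklist(parse_json_feed(FEED_JSON), parse_csv_feed(FEED_CSV)))` yields a set containing only `198.51.100.7/32` and `203.0.113.0/28`: the duplicated host is absorbed by its covering prefix, the internal address and the malformed line are dropped, and the result can be pushed to the firewall by the same job.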

In each of these examples you’re using SOAR to improve security operations – be it detecting threats faster, making better use of security talent, or making the impossible, possible. Accelerating IR is important. But there’s a lot more to SOAR.

Ashley Arbuckle, Cisco’s VP/GM, Global Security Customer Experience, is responsible for the company’s security services portfolio, designed to accelerate customers’ success and deliver an exceptional customer experience. With over 20 years of security and customer success experience, Arbuckle has a long record of accomplishments that span security consulting, enterprise security operations, product management and general manager responsibilities. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo, where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.